
BBC Watchdog (a consumer protection television program) is today airing a report on 'food fraud' against the UK-based Deliveroo service. Food is ordered via the Deliveroo iOS or Android apps, and delivered to the customer. It appears, however, that scores of customers have recently been charged for food they didn't order; food that was actually delivered to complete strangers.

Deliveroo is adamant that it has not suffered a breach, and that no card details or other personal information has been stolen. "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers," it said in a statement. "These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach." Deliveroo is reimbursing the customers.

If Deliveroo is correct in this statement, it raises several other issues. Firstly, yes and obviously, users need to start practicing better password hygiene. Secondly, Deliveroo needs to improve its security in terms of fraud detection and customer authentication. Thirdly, it is not immediately apparent how the fraudster benefits from this fraud.

The reaction from most security vendors is simple. Single factor password authentication is no longer adequate. Users should have unique strong passwords for every service they use, while vendors should implement and insist on multi-factor authentication. It seems clear that multi-factor authentication (MFA) hasn't been implemented because Deliveroo has sought a frictionless experience for its users. Furthering this frictionless approach, Deliveroo maintains the customers' card details to allow easily repeatable orders -- but does not require the 3-digit security number when taking new orders.

This fits in with the idea that the fraudster/s used credentials obtained from other hacks and released on the internet -- that is all they would need. Kaspersky Lab's David Emm comments, "Businesses must ensure they implement two-factor authentication, so that credentials stolen from another site would not be sufficient for an attacker to get access to their customers' accounts."

F-Secure's Sean Sullivan agrees. "An app such as this probably really requires that the app vendor requests the account holder's phone number -- and then sends an SMS with a code in order to activate the app. If all it relies on is a password… then any old fraudster will be able to exploit the system for free food. If a second factor of some sort is used during setup, it limits the risk. But that's the thing… start-ups want to be 'frictionless' to setup. So, Deliveroo will just have to eat the costs, if it can."

But you can have frictionless MFA with modern smartphones using, for example, facial recognition.

It is difficult at this point to know whether Deliveroo has adequate fraud prevention systems simply because there is insufficient information yet. But it seems unlikely.

The BBC reports, "User Judith MacFadyen, from Reading, told Watchdog: 'I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London.'" Four separate orders on one account to two addresses in one afternoon should really trip warning flags.
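A velocity and new-address check of the kind that should have tripped on the pattern above, added here as an example (it is not Deliveroo's code or any real fraud engine). The order records, account handles and thresholds are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Order:
    account: str
    placed_at: datetime
    address: str
    amount_gbp: float


# Constructed sample data (not real customer records). "acct-1042" mirrors the
# pattern reported to Watchdog: one historical home delivery, then four orders
# in a single afternoon to two addresses the account has never used before.
SAMPLE_ORDERS = [
    Order("acct-1042", datetime(2016, 11, 10, 12, 5), "Reading RG1 (home)", 18.50),
    Order("acct-1042", datetime(2016, 11, 23, 13, 10), "London W4 (Chiswick)", 31.00),
    Order("acct-1042", datetime(2016, 11, 23, 13, 40), "London W4 (Chiswick)", 27.25),
    Order("acct-1042", datetime(2016, 11, 23, 14, 15), "London N1", 44.80),
    Order("acct-1042", datetime(2016, 11, 23, 15, 5), "London N1", 22.10),
    # "acct-2077" is a normal weekly user who once ordered to the office: no alert.
    Order("acct-2077", datetime(2016, 11, 1, 19, 0), "Manchester M1 (home)", 15.00),
    Order("acct-2077", datetime(2016, 11, 8, 19, 30), "Manchester M1 (home)", 16.50),
    Order("acct-2077", datetime(2016, 11, 15, 12, 45), "Manchester M2 (office)", 12.00),
    Order("acct-2077", datetime(2016, 11, 22, 19, 10), "Manchester M1 (home)", 15.00),
]


def flag_suspicious(orders, window=timedelta(hours=4),
                    max_orders=3, max_new_addresses=1):
    """Return {account: {rule: reason}} for accounts that, in any sliding
    window, exceed the order-velocity or never-before-used-address limits.

    The thresholds are illustrative; a production system would tune them
    per customer segment and combine them with device and geography signals.
    """
    by_account = {}
    for order in sorted(orders, key=lambda o: o.placed_at):
        by_account.setdefault(order.account, []).append(order)

    flagged = {}
    for account, history in by_account.items():
        reasons = {}
        for i, current in enumerate(history):
            window_start = current.placed_at - window
            in_window = [o for o in history[: i + 1] if o.placed_at > window_start]
            # Addresses the account used before this window are "known";
            # anything else delivered to in the window is a new destination.
            known = {o.address for o in history if o.placed_at <= window_start}
            new_addresses = {o.address for o in in_window} - known

            if len(in_window) > max_orders:
                reasons.setdefault(
                    "velocity",
                    f"{len(in_window)} orders within {window} "
                    f"ending {current.placed_at:%Y-%m-%d %H:%M}",
                )
            if len(new_addresses) > max_new_addresses:
                reasons.setdefault(
                    "new_addresses",
                    f"{len(new_addresses)} never-before-used delivery addresses "
                    f"within {window}: {sorted(new_addresses)}",
                )
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for account, reasons in flag_suspicious(SAMPLE_ORDERS).items():
        print(account)
        for rule, reason in reasons.items():
            print(f"  [{rule}] {reason}")
```

Either rule on its own would have held the fourth order for step-up authentication; in a real deployment a hold, not an outright block, keeps the friction cost to a single confirmation.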

The third puzzle is how does the fraudster benefit from food delivered to different parts of the country? Three locations are mentioned by the BBC; London, Reading and Manchester. Manchester and London are 200 miles apart. It could still be simple food fraud. Sullivan explains, "All the fraudster needs to do is to have the food delivered to a public address such as a coworking space. Or even just the front of some building -- the app lets you track the delivery -- so the fraudster would know when to step forward to claim the order. The delivery person isn't going to be able to vet the person picking up the food is actually the legitimate account holder. They'll just hand over the food to the person who knows the order ID."

But multiple orders in one afternoon and such diverse delivery locations suggest it could equally be something different. ESET Senior Research Fellow David Harley commented, "I wouldn’t be surprised if it did turn out to be due to the action of a person or persons targeting the company by getting food delivered to what may be randomly-selected addresses. A disgruntled employee? A competitor using information provided by a mole? A hacker for hire, or just doing it because it amuses them and they can? I don’t know, but I'll be watching future developments with interest."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Symantec made its first major acquisition of the Blue Coat Systems era with a $2.3 billion acquisition of identity protection firm LifeLock.

The Symantec-LifeLock deal is expected to close in the first quarter of 2017; the antivirus software maker paid $24 a share for LifeLock, which is approximately 16 percent higher than LifeLock's closing stock price of $20.75. Rumors of the acquisition emerged last week with Bloomberg News reporting that Symantec, along with investment firms Permira and TPG Capital, were interested in bidding on LifeLock.

The LifeLock purchase comes just a few months after a major shakeup at Symantec. The security software giant purchased web and cloud security firm Blue Coat Systems for $4.65 billion in June; Blue Coat CEO Greg Clark was named as Symantec's chief executive, filling the void left by former CEO Michael Brown, who resigned from Symantec in April.

However, the acquisition of LifeLock is a departure from Symantec's recent efforts to chart a new course beyond its legacy antivirus and consumer-focused businesses and focus on new opportunities in cloud security. Following the Blue Coat acquisition, Symantec outlined its "cloud generation" vision, which was carried over from Blue Coat's own strategy to increase its cloud security offerings and combine them with existing web and networking technology.

But in Symantec's second quarter 2017 earnings call earlier this month, Clark stated that although the consumer security business had been in decline, he felt there was still room to grow.

"We believe the market opportunity for protecting consumers is larger than what our current consumer products address today," Clark said. "As we move to further penetrate these opportunities, we expect the Consumer Security business to improve its growth trajectory as we move beyond the PC."

In a conference call Monday, Clark said LifeLock's technology will complement Symantec's Norton consumer products and expand the scope of consumer security offerings.

"Consumers pay between 2x and 3x more for identity protection than they pay for endpoint malware protection," he said. "With this acquisition Symantec accelerates its Consumer Business' return to growth by offering a digital safety platform to protect information, devices, networks and identities of consumers."

LifeLock, which was founded in 2005, has established itself as one of the leading companies in the consumer identity protection market, but the company ran afoul of the U.S. Federal Trade Commission over the years. In 2010, the company paid $12 million to settle claims that it used false claims to promote its identity theft protection services. Under the 2010 settlement, LifeLock agreed to refrain from making deceptive marketing claims and promised to "take more stringent measures to safeguard the personal information they collect from customers," according to the FTC.

However, in 2015 LifeLock was forced to pay an additional $100 million to settle FTC contempt charges after the agency found that LifeLock had violated aspects of the 2010 settlement. Specifically, the FTC said LifeLock "failed to establish and maintain a comprehensive information security program to protect users' sensitive personal information including their social security, credit card and bank account numbers." In addition, the FTC found that LifeLock continued to engage in false advertising claims and failed to abide by the 2010 settlement's recordkeeping requirements.


ERPScan research team specializes in vulnerability research and analysis of critical enterprise applications. It was acknowledged multiple times by the largest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for discovering more than 400 vulnerabilities in their solutions (200 of them just in SAP!).

Our team consists of highly-qualified researchers, specialized in various fields of cybersecurity (from web application to ICS/SCADA systems), gathering their experience to conduct the best SAP security research.

11. ABOUT ERPScan

ERPScan is the most respected and credible Business Application Cybersecurity provider. Founded in 2010, the company operates globally and enables large Oil and Gas, Financial, Retail and other organizations to secure their mission-critical processes. Named as an "Emerging Vendor" in Security by CRN, listed among "TOP 100 SAP Solution providers" and distinguished by 30+ other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to assist in improving the security of their latest solutions.

ERPScan's primary mission is to close the gap between technical and business security and provide solutions for CISOs to evaluate and secure SAP and Oracle ERP systems and business-critical applications from both cyberattacks and internal fraud. As a rule, our clients are large enterprises, Fortune 2000 companies and MSPs, whose requirements are to actively monitor and manage security of vast SAP and Oracle landscapes on a global scale.

We "follow the sun" and have two hubs, located in Palo Alto and Amsterdam, to provide threat intelligence services, continuous support and to operate local offices and partner network spanning 20+ countries around the globe.

Kiwicon Michele Orru has released an automated phishing toolkit to help penetration testers better exploit businesses.

The well-known FortConsult hacker, better known as Antisnatchor (@antisnatchor), dropped the phishing kit at the Kiwicon hacking event in Wellington, New Zealand last week, offering hackers tips to more successfully target businesses through the world's most popular attack vector.

Dubbed "PhishLulz", the Ruby-based toolkit builds on Orru's expertise in phishing. It spawns new Amazon EC2 cloud instances for each phishing campaign and combines a GUI from the PhishingFrenzy kit with the popular BeEF browser client-side attack framework for which he is a core developer.

It also sports a self-signed certificate authority, additional new phishing templates for various scenarios a hacker may encounter, and will in the future be even more powerful with automatic domain registration, for now limited to registrar NameCheap.

All told, hackers using the toolkit will be able to send more convincing phishing emails much faster from seemingly legitimate domains, be alerted immediately when login credentials are received, and send exploits and gather target configuration information such as operating system and browser versions, along with other running software, via BeEF.

It also includes MailBoxBug, which handles the fistful of popped email accounts that Orru says typically flow in at a rate of one a minute. It works on Office365 accounts, with more support to follow.

Phishing emails developed with PhishLulz are designed to trick discerning targets. An impressive 40 percent of staff at an unnamed Australian Government agency opened Orru's phishing emails and sent him corporate VPN credentials during a previous security test engagement.

Michele Orru. Image: Darren Pauli / The Register.

It took only two days for the hacker to gain domain administrator credentials after employees at the agency handed over VPN logins via Orru's phishing campaign.

"I was in Poland, and they were in Australia, so I had to send the emails at the right time," Orru told the hacking conference.

"With five minutes to run the PhishLulz VM, five minutes to start modifying the template and upload the certificates you need, you're ready to go."

Orru says PhishLulz will help hackers get past the first time-sensitive hurdle of obtaining and utilising stolen credentials, saying that attackers will have perhaps an hour to exploit the dozen or so logins they receive before they are revoked by administrators.

You need to automate as much as possible and speed is key once you have access to credentials

He offered further pointers: the best times to send phishing emails are in the morning or just after lunch, when staffers' wits are less sharp. Few staff can tell dots from dashes in URLs, nor do they pick up on .co versus .com.

Most phishing emails need to be highly customised to work, Orru says, unless the target is "dumb".

Orru, an open source advocate, invited interested hackers to contribute to the project. ®

A vulnerability in any one of these would reach a long way into the wild. The Snapdragon X20, to pick one example, is in current-generation smartphones from Google, Samsung, Motorola, LG, ZTE, Sony, Asus, HTC, and HP.

Because the company has about 65 per cent of the LTE market, the Quadrooter bug that landed during Def Con in August was thought to affect up to 900 million devices.

Qualcomm's note at HackerOne gives white hats a pretty wide brief: Linux kernel code 3.14 or newer in the Android for MSM project, written by the Qualcomm Innovation Center and not in an end-of-life branch.

There are also rewards for bootloader bugs, anything that gains root or system privileges, the modem, networking firmware (Wi-Fi and Bluetooth), or the Qualcomm Secure Execution Environment on TrustZone.

Merely crashing a process isn't enough; the bug has to then let the attacker get to code execution. ®

Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database was downloaded by at least one third party, and it’s likely being traded online.

Troy Hunt, the security researcher who runs the Have I been Pwned? service and whose own information is in the compromised backup file, received the file, and ultimately notified GitHub of the matter.

His analysis of the file ultimately revealed that:

It contains 8.2 million unique email addresses, i.e. records about 8.2 million users of GitHub, Bitbucket (another web-based hosting service for projects), and possibly other online services.

Most of these records contain users' names, usernames, email addresses, geographic locations, professional skills and years of professional experience.

All of this information is already online on GitHub and those other services, accessible to anybody – GeekedIn just scraped it and created its own database, access to which is offered to companies interested in finding developers – for a fee.

When contacted, GitHub said that they allow third parties to scrape their users' data, so long as it's only used for the same purpose for which users gave that information to GitHub.

“Using scraped information for a commercial purpose violates our privacy statement and we do not condone this kind of use,” they told Hunt.

After he finally managed to get in touch with GeekedIn, they acknowledged the incident and promised to secure the data.

Hunt made some of this data searchable in raw format through his service, but only a little over 1 million users will be able to find it. He only included the data of those who had a publicly available email address on GitHub.

“This incident is not about any sort of security vulnerability on GitHub’s behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service,” he made sure to note.

Honeypots provide the best way I know of to detect attackers or unauthorized snoopers inside or outside your organization.

For decades I've wondered why honeypots weren't taking off, but they finally seem to be reaching critical mass. I help a growing number of companies implement their first serious honeypots -- and the number of vendors offering honeypot products, such as Canary or KFSensor, continues to grow.

If you're considering a honeypot deployment, here are 10 decisions you'll have to make.

1. What's the intent?

Honeypots are typically used for two primary reasons: early warning or forensic analysis. I'm a huge proponent of early-warning honeypots, where you set up one or more fake systems that would immediately indicate maliciousness if even slightly probed.

Early-warning honeypots are great at catching hackers and malware that other systems have missed. Why? Because the honeypot systems are fake -- and any single connection attempt or probe (after filtering out the normal broadcasts and other legitimate traffic) means malicious action is afoot.

The other major reason companies deploy honeypots is to help analyze malware (especially zero days) or help determine the intent of hackers.

In general, early-warning honeypots are much easier to set up and maintain than forensic analysis honeypots. With an early-warning honeypot, when you detect a probe or connection attempt, the mere connection attempt gives you the information you need, and you can follow the probe back to its origination to begin your next defense.

Forensic analysis honeypots, which can capture and isolate the malware or hacker tools, are merely the beginning of a very comprehensive analysis chain. I tell my customers to plan on allocating several days to several weeks for each analysis performed using a honeypot.

2. What to honeypot?

What your honeypots mimic is usually driven by what you think can best detect hackers earliest or best protect your "crown jewel" assets. Most honeypots mimic application servers, database servers, web servers, and credential databases such as domain controllers.

You can deploy one honeypot that mimics every advertised port and service in your environment, or deploy several, with each one dedicated to mimicking a particular server type. Sometimes honeypots are used to mimic network devices, such as Cisco routers, wireless hubs, or security equipment. Whatever you think hackers or malware are most likely to attack is what your honeypots should emulate.

3. What interaction level?

Honeypots are classified as low, medium, or high interaction. Low-interaction honeypots only emulate listening UDP or TCP ports at their most basic level, which a port scanner might detect. But they don't allow full connections or logons. Low-interaction honeypots are great for providing early warnings of malicious behavior.

Medium-interaction honeypots offer a little bit more emulation, usually allowing a connection or logon attempt to appear successful. They may even contain basic file structures and content that could be used to fool an attacker. High-interaction honeypots usually offer complete or nearly complete copies of the servers they emulate. They're useful for forensic analysis because they often trick the hackers and malware into revealing more of their tricks.

4. Where should you place the honeypot?

In my opinion, most honeypots should be placed near the assets they are attempting to mimic. If you have a SQL server honeypot, place it in the same datacenter or IP address space where your real SQL servers live. Some honeypot enthusiasts like to place their honeypots in the DMZ, so they can receive an early warning if hackers or malware get loose in that security domain. If you have a global company, place your honeypots around the world. I even have customers who place honeypots that mimic the CEO's or other C-level executives' laptops to detect if a hacker is trying to compromise those systems.

5. A real system or emulation software?

Most honeypots I deploy are fully running systems containing real operating systems -- usually old computers ready for retirement. Real systems are great for honeypots because attackers can't easily tell they're honeypots.

I also install a lot of honeypot emulation software; my longtime favorite is KFSensor. The good ones, like KFSensor, are almost "next, next, next" installs, and they often have built-in signature detection and monitoring. If you want low-risk, quick installs, and lots of features, honeypot emulation software can't be beat.

6. Open source or commercial?

There are dozens of honeypot software programs, but very few of them are supported or actively updated a year after their release. This is true for both commercial and open source software. If you find a honeypot product that's updated for longer than a year or so, you've found a gem.

Commercial products, whether new or old, are usually easier to install and use. Open source products, such as Honeyd (one of the most popular programs), are usually much harder to install, but often far more configurable. Honeyd, for example, can emulate nearly 100 different operating systems and devices, down to the subversion level (Windows XP SP1 versus SP2 and so on), and it can be integrated with hundreds of other open source programs to add features.

7. Which honeypot product?

As you can tell, I'm partial to commercial products for their feature sets, ease of use, and support. In particular, I'm a fan of KFSensor. If you choose an open source product, Honeyd is great, but possibly overly complex for the first-time honeypot user. Several honeypot-related websites, such as Honeypots.net, aggregate hundreds of honeypot articles and link to honeypot software sites.

8. Who should administer the honeypot?

Honeypots are not set-it-and-forget-it solutions -- quite the opposite. You need at least one person (if not more) to take ownership of the honeypot. That person must plan, install, configure, update, and monitor the honeypot. If you don't appoint at least one honeypot administrator, it will become neglected, useless, and at worst, a jumping-off spot for hackers.

9. How will you refresh the data?

If you deploy a high-interaction honeypot, it will need data and content to make it look real. A one-time copy of data from somewhere else isn't enough; you need to keep the content fresh.

Decide how often to update it and by what method. One of my favorite methods is to use a freely available copy program or copy commands to replicate nonprivate data from another server of a similar type -- and initiate the copy every day using a scheduled task or cron job. Sometimes I'll rename the data during the copy so that it appears more top secret than it really is.

10. Which monitoring and alerting tools should you use?

A honeypot isn't of any value unless you enable monitoring for malicious activity -- and set up alerts when threat events occur. Generally, you'll want to use whatever methods and tools your organization routinely uses for this. But be warned: Deciding what to monitor and alert on is often the most time-consuming part of any honeypot planning cycle.
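An early-warning filter over a low-interaction honeypot's connection log, added here as an example for decisions 1 and 10 above (it is not KFSensor's, Honeyd's or any other product's own code). The key=value log format, the honeypot and scanner addresses, and the log lines themselves are constructed for illustration:

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed syslog-style lines (the key=value layout is an assumption, not
# any honeypot product's real format). The honeypot listens on 10.0.9.5 in
# the same subnet as the real database servers it mimics.
SAMPLE_LOG = """\
2016-11-22T14:03:11Z proto=udp src=10.0.9.254:67 dst=255.255.255.255:68
2016-11-22T14:03:12Z proto=udp src=10.0.9.31:5353 dst=224.0.0.251:5353
2016-11-22T14:04:01Z proto=tcp src=10.0.2.10:44120 dst=10.0.9.5:22
2016-11-22T14:05:40Z proto=tcp src=10.0.5.77:51234 dst=10.0.9.5:1433
2016-11-22T14:05:41Z proto=tcp src=10.0.5.77:51235 dst=10.0.9.5:3389
2016-11-22T14:05:42Z proto=tcp src=10.0.5.77:51236 dst=10.0.9.5:445
this line is garbage and must not crash the parser
2016-11-22T14:07:03Z proto=tcp src=10.0.7.12:60001 dst=10.0.9.5:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Legitimate traffic that would otherwise look like probes: the authorised
# vulnerability scanner (constructed address) is the only host allowed to
# touch the honeypot. Broadcast and multicast noise is dropped by address.
ALLOWED_SOURCES = [ip_network("10.0.2.10/32")]
BROADCAST = ip_address("255.255.255.255")
PORT_SWEEP_THRESHOLD = 3  # distinct ports from one source => likely a sweep


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def is_expected_noise(event):
    """True for traffic a honeypot sees even when nobody is targeting it."""
    dst = ip_address(event["dst"])
    if dst.is_multicast or dst == BROADCAST:
        return True
    src = ip_address(event["src"])
    return any(src in net for net in ALLOWED_SOURCES)


def early_warning_alerts(log_text):
    """Aggregate every unexpected connection per source into one alert.

    On a fake system any remaining touch is hostile, so every source gets
    an alert; several distinct ports from one source is escalated because
    it looks like a sweep rather than a single misdirected connection.
    """
    touches = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or is_expected_noise(event):
            continue
        touches[event["src"]].append(event)

    alerts = []
    for src, events in touches.items():
        ports = sorted({e["dport"] for e in events})
        alerts.append({
            "src": src,
            "first_seen": min(e["ts"] for e in events),
            "last_seen": max(e["ts"] for e in events),
            "connections": len(events),
            "ports": ports,
            "severity": "critical" if len(ports) >= PORT_SWEEP_THRESHOLD else "high",
        })
    # Oldest first, so the responder follows the earliest probe back to its origin.
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in early_warning_alerts(SAMPLE_LOG):
        print(f"{alert['severity'].upper():8} {alert['src']:12} "
              f"ports={alert['ports']} first={alert['first_seen']}")
```

The allowlist is the part that needs the most care: every legitimate scanner, backup agent and monitoring probe that is not listed will page someone, which is exactly the tuning work the paragraph above warns about.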

Here’s an overview of some of last week’s most interesting news and articles:

Yahoo breach was not state-sponsored, researchers claim
The massive 2014 Yahoo breach isn't the work of state-sponsored hackers as the company has claimed to believe, say researchers from identity protection and threat intelligence firm InfoArmor. Instead, the breach was effected by a group of professional blackhats believed to be from Eastern Europe.

Mobile security stripped bare: Why we need to start again
There are three main threat vectors for mobile devices: targeting and intercepting the communications to and from devices; targeting the devices' external interfaces (Cellular, WiFi, Bluetooth, USB, NFC, Web etc.) for the purpose of device penetration and planting malicious code; and targeting the data on the device and the resources/functions the device/underlying OS provides access to such as microphone, camera, GPS, etc.

ICS-CERT releases new tools for securing industrial control systems
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies.

OS analysis tool osquery finally available for Windows
Nearly two years after Facebook open sourced osquery, the social networking giant has made available an osquery developer kit for Windows, allowing security teams to build customized solutions for Windows networks.

DefecTor: DNS-enhanced correlation attacks against Tor users
A group of researchers from Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attacks that can be leveraged to deanonymize Tor users.

Incident response survival guide
Here are some steps that will allow organizations to minimize the damage when a security breach occurs.

Enhance iMessage security using Confide
One of the new features in iOS 10 offers the possibility of deploying specially crafted applications within iMessage. Most users will probably (ab)use this new functionality for sending tiresome animations and gestures, but some applications can actually provide added value for iMessage communication.

Why digital hoarding poses serious financial and security risks
82 percent of IT decision makers admit they are hoarders of data and digital files. These include: unencrypted personal records, job applications to other companies, unencrypted company secrets and embarrassing employee correspondence.

Clear and present danger: Combating the email threat landscape
As long as organisations use email to send and receive files, malicious email attachments will continue to plague corporate inboxes.

Europol identifies eight main cybercrime trends
A significant proportion of cybercrime activity still involves the continuous recycling of relatively old techniques, security solutions for which are available but not widely adopted.

Microsoft equips Edge with hardware-based container
Windows Defender Application Guard is a lightweight virtual machine that prevents malicious activity coming from the web from reaching the operating system, apps, data, and the enterprise network.

Rise of the drones: Managing a new risk environment
More drones in the skies raise a number of new safety concerns, ranging from collisions and crashes to cyber-attacks and terrorism.

Swiss voters approve new surveillance law
The Swiss Federal Intelligence Service will now be able to bug private property, phone lines, and wiretap computers (under certain conditions).

IoT-based DDoS attacks on the rise
As attackers are now highly aware of insufficient IoT security, many pre-program their malware with commonly used and default passwords, allowing them to easily hijack IoT devices. Poor security on many IoT devices makes them easy targets, and often victims may not even know they have been infected.

My organization is exploring the idea of implementing our own public key infrastructure. What are the benefits of having our own internal PKI -- especially in terms of costs and management?

It's quite common for large enterprises to run their own public key infrastructure (PKI), acting as an internal certificate authority (CA) and installing their own root certificate in the trust stores of all the company's devices. The main benefit of having internal PKI is that internal services can be configured to only accept certificates from the enterprise's own CA chain, in theory making it harder for hackers to impersonate genuine users. Digital certificates are a vital part of PKI security technologies like signed and encrypted email, signed documents, VPN access and SSL authentication because they provide a means to establish the ownership of an encryption key. The other benefit is that self-issued certificates are free, and that it's a solution that scales well. However, reality is somewhat different.

Microsoft Certificate Services, for example, provides all the software and programs needed to run an internal PKI, and is included with Windows enterprise servers. The root certificate can also be distributed to all domain-connected objects based on group policies. However, adding it to the trusted store of every version of every app on every machine is a lot more challenging. The certificates themselves may be free, but the resources required to securely manage internal PKI have to be factored into the overall cost. Not that many enterprises have internal IT staff who are qualified and capable of properly managing and securing a PKI in accordance with standards like CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, or the Mozilla CA Certificate Policy.

The security and integrity of the root signing keys are critical and require physical as well as logical security controls to be deployed. The mission-critical nature of a PKI means enterprises must be able to provide a constant quality of service, and perform specialist tasks required in certificate lifecycle management and validation services, such as renewing certificates, maintaining and updating certificate revocation lists and running online certificate status protocol services.

Before deciding to implement internal PKI, carefully weigh the costs of the necessary hardware, staff and infrastructure against the costs of outsourcing. An in-house CA is only really useful for internal corporate use, as its certificates won't be trusted by devices and services outside of the organization. Internet-facing servers will still need a certificate from a publicly recognized CA. Most public CAs specializing in outsourcing now offer Active Directory integration and cost-effective certificate options for internal purposes, eliminating the hassle of managing an internal CA, while offering technical expertise and the latest in security technologies.